1 Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Vipul Goyal Omkant Pandey Amit Sahai Brent Waters UCLA SRI

2 Traditional Encrypted Filesystem File 1 Owner: John File 2 Owner: Tim  Encrypted Files stored on Untrusted Server  Every user can decrypt its own files  Files to be shared across different users?

3 A New Encrypted Filesystem File 1 “Creator: John” “Computer Science” “Admissions” “Date: ” File 2 “Creator: Tim” “History” “Admissions” “Date: ”  Label files with attributes

4 An Encrypted Filesystem File 1 “Creator: John” “Computer Science” “Admissions” “Date: ” File 2 “Creator: Tim” “History” “Admissions” “Date: ” Authority OR AND “Computer Science” “Admissions” “Bob”

5 Threshold Attribute-Based Enc. [SW05]  Sahai-Waters introduced ABE, but only for “threshold policies”: Ciphertext has set of attributes User has set of attributes If more than k attributes match, then User can decrypt.  Main Application- Biometrics

6 General Attribute-Based Encryption  Ciphertext has set of attributes  Keys reflect a tree access structure  Decrypt iff attributes from CT satisfy key’s policy OR AND “Computer Science” “Admissions” “Bob”

7 Central goal: Prevent Collusions  Users shouldn’t be able to collude AND “Computer Science” “Admissions” AND “History” “Hiring” Ciphertext = M, {“Computer Science”, “Hiring”}

8 Related Work  Access Control [Smart03], Hidden Credentials [Holt et al ] Not Collusion Resistant  Secret Sharing Schemes [Shamir79, Benaloh86…] Allow Collusion

9 Techniques We combine two ideas  Bilinear maps  G eneral Secret Sharing Schemes

10 Bilinear Maps  G, G 1 : multiplicative of prime order p.  Def: An admissible bilinear map e: G  G  G 1 is: –Non-degenerate: g generates G  e(g,g) generates G 1. –Bilinear: e(g a, g b ) = e(g,g) ab  a,b  Z, g  G –Efficiently computable. –Exist based on Elliptic-Curve Cryptography

11 Secret Sharing [Ben86]  Secret Sharing for tree-structure of AND + OR OR AND “Computer Science” “Admissions” “Bob” y y y r (y-r) Replicate secret for OR’s. Split secrets for AND’s.

12 The Fixed Attributes System: System Setup Public Parameters g t 1, g t 2,.... g t n, e(g,g) y “Bob”, “John”, …, “Admissions” List of all possible attributes:

13 Encryption Public Parameters g t 1, g t 2, g t 3,.... g t n, e(g,g) y Ciphertext g st 2, g st 3, g st n, e(g,g) sy Select set of attributes, raise them to random s M File 1 “Creator: John” (attribute 2) “Computer Science” (attribute 3) “Admissions” (attribute n)

14 Key Generation Public Parameters Private Key g y 1 /t 1, g y 3 /t 3, g y n /t n g t 1, g t 2,.... g t n, e(g,g) y Fresh randomness used for each key generated! Ciphertext g st 2, g st 3, g st n, e(g,g) sy M OR AND “Computer Science” “Admissions” “Bob” y y y r (y-r) y3=y3= yn=yn= y1=y1=

15 Decryption e(g,g) sy 3 e(g,g) sy n = e(g,g) s(y-r+r) = e(g,g) sy (Linear operation in exponent to reconstruct e(g,g) sy ) Ciphertext g st 2, g st 3, g st n, Me(g,g) sy Private Key g y 1 /t 1, g y 3 /t 3, g y n /t n e(g,g) sy 3

16 Security  Reduction: Bilinear Decisional Diffie-Hellman  Given g a,g b,g c distinguish e(g,g) abc from random  Collusion resistance  Can’t combine private key components

17 The Large Universe Construction: Key Idea Public Function T(.), e(g,g) y Private Key  Any string can be a valid attribute Ciphertext g s, e(g,g) sy M For each attribute i: T(i) s For each attribute i g y i T(i) r i, g r i e(g,g) sy i Public Parameters

18 Extensions  Building from any linear secret sharing scheme  In particular, tree of threshold gates…  Delegation of Private Keys

19 Delegation AND “Computer Science” “admissions” OR “ Bob ”  Derive a key for a more restrictive policy Year=2006  Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …] Bob’s Assistant

20 Applications: Targeted Broadcast Encryption  Encrypted stream AND “Soccer” “Germany” AND “Sport” “ ” Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “ ”}

21 Thank You